This privacy notice regarding the processing of personal data (hereinafter the “Privacy Notice”) is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter also the “Regulation” or “GDPR”), by Fondazione La Biennale di Venezia (hereinafter the “Fondazione” or “La Biennale” or “Data Controller”) in order to explain the methods and purposes for which the personal data of users (hereinafter also “Data Subject” or “Data Subjects”) who access, browse, and use the Data Controller’s websites (https://www.labiennale.org/it; https://store.labiennale.org/; https://veniceproductionbridge.org/) (hereinafter also “Website” or “Websites”) are processed.
The provisions set forth in this Privacy Notice shall apply to anyone who browses the Website or uses its services, and, in any case, to all natural persons whose personal data are collected and processed in the context of the services offered through the Website. For certain services, the Data Controller reserves the right to provide a specific notice that may, from time to time, supplement or modify this Privacy Notice; in the event of any conflict, the terms of the specific notice relating to the particular service shall prevail.
The Data Controller is Fondazione La Biennale di Venezia, with registered office in Venice, Ca’ Giustinian, San Marco 1364/A – 30124,VAT n. 00330320276.
The Data Controller may be contacted at the following email address: privacy@labiennale.org.
The Data Controller has appointed a Data Protection Officer (“DPO”), who may be contacted at the following email address: dpo_labiennale@labiennale.org.
Within the limits of the purposes and methods described in this Notice, the Data Controller may process the following categories of personal data (hereinafter also referred to as the “Personal Data” or Data”):
a) Browsing Data: The IT systems and software procedures that support the operation of the Website collect certain data (e.g., IP addresses; domain names of the devices used by users to visit the Website; date and time of access; type of resources requested; method used to submit requests to the server; further data and parameters regarding the interaction between the user and the Website and the user’s device). Such data are processed in order to obtain anonymous statistical information on Website usage, to ensure its proper functioning, and to prevent cyber fraud.
b) Cookies and Other Tracking Systems: With regard to data collected through cookies, please refer to the Cookie Policy available in the footer of the Websites.
c) Identification Data: The Data Controller may collect personal identification data of the Data Subject, such as, by way of example, first name, last name, address, and tax identification number.
d) Contact Data: Contact information of the Data Subject, such as email address and telephone number, may also be processed.
e) Any additional Personal Data provided by the Data Subject: The Data Controller may become aware of additional information voluntarily provided by the Data Subject through the contact details or forms made available by the Data Controller on the Website.
The Data Controller will process the Data Subject’s Personal Data in order to enable them to use the services and functionalities of the Website. In particular, the processing carried out through the Website pursues the following purposes:
a) Ensuring Website Navigation and Proper Functioning
The Data Controller will process the browsing data referred to in point a) of the previous paragraph to ensure the proper functioning of the Website and to allow adequate navigation within it.
This processing is based on the legitimate interest of the Data Controller to guarantee the functionality of the Website and to prevent potential fraud, pursuant to Article 6(1)(f) of the Regulation. The Data Subject has the right to object to this processing at any time by writing to: dpo_labiennale@labiennale.org; in such a case, the user will be prevented from using the services offered through the Website, and the Data Controller will refrain from further processing, unless there are overriding legitimate grounds.
b) User Account Management
The Data Controller will process the Data Subject’s personal identification and contact data in order to allow the creation and management of a personal account on the Website. This processing will occur only when the Website requires or allows such account creation to access specific services (e.g., purchasing editorial products through the Website or accessing reserved functionalities related to accreditations or archival services).
The legal basis for this processing is Article 6(1)(b) of the Regulation, as it is necessary for the performance of pre-contractual and contractual measures requested by the Data Subject.
c) Online Ticket Sales
The Data Controller will process the Data Subject’s data to facilitate online ticket orders; to complete the purchase, the Data Subject will be redirected to a third-party e-ticketing platform, which acts as an independent Data Controller and will provide its own specific notice.
This processing is based on the performance of pre-contractual measures (Article 6(1)(b) of the Regulation).
d) Purchase of Merchandising Products in the ShopThe Data Controller may process the Data Subject’s data to facilitate access to the online shop section dedicated to purchasing merchandising products. To complete the purchase, the Data Subject will be redirected to a third-party e-commerce platform, acting as an independent Data Controller, which will provide a specific privacy notice concerning its processing activities.
This processing is based on the execution of pre-contractual measures requested by the Data Subject (Article 6(1)(b) of the Regulation).
e) Purchase of Editorial Products
The Data Controller may process the Data Subject’s data to manage orders for products available in the “Buy Online – Publications” section of the Website (https://store.labiennale.org ).
The legal basis for this processing is the performance of a contract pursuant to Article 6(1)(b) of the Regulation.
f) Management of Accreditation Requests
The Data Controller may process the Data Subject’s data to handle accreditation requests, allowing access to benefits such as priority entry or exclusive participation in certain events organized by the Foundation.
This processing is based on the performance of a contract (Article 6(1)(b) of the Regulation); a specific notice is available in the “Accreditations” section of the Website.
g) Management of Biennale Card Requests
The Data Controller may process the data provided by the Data Subject via the contact channels available on the Website to receive, evaluate, and process requests for the issuance of the Biennale Card. For the completion of the purchase and payment, the Data Subject will be redirected to an external ticketing system (e-ticketing platform) managed by a third-party, acting as an independent Data Controller, which will provide a specific privacy notice.
This processing is based on the execution of a contract (Article 6(1)(b) of the Regulation); a specific notice is available in the “Biennale Card” section of the Website.
h) Sending Informational and Promotional Communications
With prior consent, the Data Controller may process the Data Subject’s personal identification and contact data to send informational and promotional communications via email (e.g., newsletter, Google Forms, promotional emails, invitations) regarding updates on events, initiatives, offers, and surveys, and to manage these activities in case of participation.
The legal basis for this processing is the consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation. Under Article 7(3) of the Regulation, the Data Subject may withdraw consent at any time by writing to dpo_labiennale@labiennale.org or, where provided, through the opt-out option; however, withdrawal of consent does not affect the lawfulness of processing based on consent given before withdrawal.
i) Management of “Carbon Impact”
The Data Controller may process the Data Subject’s Personal Data, such as, by way of example, country and city of origin, reasons for travel, means of transport used, and dates of arrival and departure, to estimate the environmental impact generated by public and staff participation in events organized by the Foundation.
The legal basis for this processing is the legitimate interest of the Data Controller pursuant to Article 6(1)(f) of the Regulation. The Data Subject has the right to object to this processing at any time by writing to dpo_labiennale@labiennale.org ; in such a case, the Data Controller will refrain from further processing unless there are compelling legitimate grounds overriding the interests and rights of the Data Subject.
j) Participation in Calls and Institutional Projects
Data relating to personal identification, contact details, and information entered by the Data Subject in application forms available on the Website (e.g., for participation in calls, projects, or training initiatives within the artistic programming of each sector or institutional initiatives promoted by the Biennale) are processed by the Data Controller to evaluate the Data Subject’s application for the chosen initiative and manage any subsequent stages of the related procedure.
The legal basis for this processing is Article 6(1)(a) of the Regulation, as the Data Subject gives consent for the processing of their personal data for the preparatory activities necessary to participate in the call or project organized by the Foundation.
k) Staff Recruitment
Data relating to personal identification and contact details are processed by the Data Controller to evaluate the suitability of the application for potential job or internship positions or for spontaneous applications submitted through the form available on the Website.
The legal basis for this processing is Article 6(1)(a) of the Regulation, as the Data Subject provides consent for the processing of their personal data for the specific purposes outlined above. A specific notice is available in the “Work with Us” section of the Website.
l) Compliance with Legal Obligations
The Data Controller may process the Data Subject’s Personal Data when processing is necessary to comply with obligations provided by national and/or European laws. This processing is carried out pursuant to Article 6(1)(c) of the Regulation, as it is necessary to fulfill a legal obligation to which the Data Controller is subject.
m) Archiving for Public Interest Purposes
The Data Controller may process certain Personal Data of the Data Subject for purposes of archiving in the public interest, in accordance with Article 89 of the Regulation, where such data have particular historical, cultural, or documentary interest in relation to the institutional activities of the Foundation. These data may be permanently stored in the Historical Archive of Contemporary Arts (ASAC).
n) Management of the “Bacheca Biennale” Service
The Data Controller may process personal identification data, contact details, and documentation submitted by individuals requesting the inclusion of an exhibition space in the “Bacheca Biennale” area of the Website via the dedicated online form, which references this Notice, including a copy of an identity document, technical declarations certifying the suitability of the premises, and images of the spaces. The data are processed to manage the insertion request, verify compliance with the required criteria, and, where appropriate, publish the related information on the institutional Website.
The legal basis for this processing is Article 6(1)(a) of the Regulation, as the Data Subject gives consent for the processing of personal data for preparatory activities connected with managing the insertion request and publication of the listing within the “Bacheca Biennale” service. Under Article 7(3) of the Regulation, the Data Subject may withdraw consent at any time by writing to dpo_labiennale@labiennale.org or, where provided, via the opt-out option; however, withdrawal of consent does not affect the lawfulness of processing based on consent given before withdrawal.
The provision of the Data Subject’s information to the Data Controller is necessary for the execution of the services requested. Therefore, if they decide not to provide the Data marked as mandatory, the Foundation will not be able to provide the requested services.With regard to the collection of Data indicated as optional, failure to provide them may result in a limited use of the requested services.
The Data Controller will process Personal Data in compliance with the principles set out in the Regulation. Processing may also be carried out using automated methods and tools, always in accordance with the security measures provided for in Article 32 GDPR, by persons specifically appointed for the processing in compliance with Article 29 GDPR. Security measures will be employed to ensure the confidentiality of the Data Subject to whom the data relate and to prevent unauthorized access by third parties or personnel. Only personal data that are adequate, relevant, and limited to what is necessary for the purposes for which they are collected will be processed. The Data will not be used for purposes other than those described in this Privacy Notice, unless the Privacy Notice is updated in advance by the Data Controller.
Personal Data will be retained only for the time strictly necessary to achieve the purposes for which they were collected. In particular:
●
For the purpose referred to in letter (a) of paragraph 4 of this Privacy Notice, the Data will be retained for the time necessary to allow navigation on the Site and, in any case, for a period not exceeding 7 days, unless legal obligations or requests from competent Authorities require an extension of the retention period.
●
For the purposes referred to in letters (b), (c), (d), (e), (f), and (g) of paragraph 4 of this Privacy Notice, the Data of the Data Subject will be retained for 10 years from the termination of the relevant service, unless further retention is required by law or for the defense of the Data Controller’s rights in court.
●
For the purpose referred to in letter (h) of paragraph 4 of this Privacy Notice, the Data will be retained for a maximum period of 24 months, unless the Data Subject withdraws consent earlier.
●
For the purpose referred to in letter (i) of paragraph 4 of this Privacy Notice, the Data will be retained for the time necessary to perform analyses related to carbon impact and, in any case, for a period not exceeding 24 months.
●
For the purpose referred to in letter (k) of paragraph 4 of this Privacy Notice, Personal Data will be retained as follows:
-
In the case of establishing an employment relationship, the candidate’s data will be retained for the entire duration of the employment and subsequently processed in accordance with the specific notice provided to employees;
-
In all other cases, the Data Controller may retain the candidate’s data for a maximum period of 24 months from collection, in order to possibly contact the Data Subject again if new positions matching their profile become available.
●
For the purpose referred to in letter (j) of paragraph 4, the Data will be retained for the time strictly necessary to manage the activity or initiative in which the Data Subject has expressed interest and, in any case, for a period not exceeding 24 months.
●
For the purpose referred to in letter (l) of paragraph 4 of this Privacy Notice, Personal Data will be retained for the period provided by specific regulatory provisions requiring the processing and, in any case, for the time strictly necessary to fulfill the related legal obligations.
●
For the purpose referred to in letter (m) of paragraph 4 of this Privacy Notice, Personal Data of particular historical, cultural, or documentary interest may be subject to permanent retention at the Historical Archive of Contemporary Arts (ASAC), in compliance with the provisions of Article 89 of the Regulation.
In relation to the purposes described above, Personal Data may be disclosed to third parties who process personal data on behalf of the Data Controller, specifically appointed as Data Processors and required to comply with the obligations established by data protection legislation. The list of Data Processors pursuant to Article 28 GDPR can be consulted by writing to the following address: privacy@labiennale.org .
Where required by law, Data may also be disclosed to parties acting as Independent Data Controllers (for example, judicial authorities, social security institutions, or e-ticketing platforms). The Personal Data provided will not be disclosed to any other parties, nor will they, under any circumstances, be made public.
In the event that Personal Data are transferred outside the European Economic Area, the transfer will be carried out using standard contractual clauses adopted by the European Commission under Decision 2021/914 and any subsequent amendments, or on the basis of an adequacy decision by the Commission, or any other appropriate mechanism provided for under Chapter V of the GDPR.
The Data Subject may obtain information on the location to which the Data has been transferred and a copy of such Data by writing to privacy@labiennale.org.
In accordance with applicable law, the Data Subject may exercise the following rights:
● Right of access: request and obtain confirmation of the existence of their personal data held by the Data Controller, as well as information on the processing of such personal data, and access to the data themselves.
● Right to data portability: request and receive their personal data in a structured, commonly used, and machine-readable format; they may also request the transfer of such data to another Data Controller.
● Right to rectification: request and obtain the correction and/or updating of inaccurate or incomplete data.
● Right to erasure and restriction of processing: request and obtain the deletion and/or restriction of processing of their personal data if the data are unnecessary, or no longer necessary, for the purposes for which they were collected.
To exercise the rights listed above or to request information, the Data Subject may write to dpo_labiennale@labiennale.org .
This Privacy Notice may be subject to amendments and updates in order to reflect any new processing activities or ongoing processing, as well as to comply with subsequent changes in applicable data protection legislation.
Data Subjects are therefore encouraged to review its contents periodically. Where possible, the Data Controller undertakes to promptly notify any changes made and their respective implications.
The updated version of the Privacy Notice will, in any case, be published on this page, indicating the date of its most recent update.